– %APPDATA%\%random character string%\%random character string%.exe
This file is executed once it has been fully created. Further investigation showed that this file is also malware. Detected as: TR/Injector.UT

– %APPDATA%\%random character string%\%random character string%
– %APPDATA%\%random character string%\%random character string%
– %TEMPDIR%\%random character string%.bat
This file is executed once it has been fully created. This batch file is used to delete a file.

Registry

The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%random character string%"="%APPDATA%\%random character string%\%random character string%.exe"

Miscellaneous

Internet connection:
In order to check for its internet connection the following DNS server is contacted:
   • ehalgr**********a.ru

Accesses internet resources:
   • krugvkube.ru/pepp**********le.php